PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-1462 keras-team CVE debrief

A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-controlled code execution during model inference under the victim's privileges. The issue arises due to the unconditional loading of external SavedModels, serialization of attacker-controlled file paths, and the lack of validation in the `from_config()` method. The vulnerability has a CVSS score of 7.8 and is classified as HIGH severity. The CVE was published on April 13, 2026, and last modified on June 30, 2026.

Vendor: keras-team
Product: keras-team/keras
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-06-30
Advisory published: 2026-04-13
Advisory updated: 2026-06-30

Who should care

Organizations using the keras package, particularly those that load models from external or untrusted sources or that rely on `safe_mode=True` as their protection against untrusted models, should treat this vulnerability as relevant and mitigate it. This means reviewing where models come from, validating model configurations before loading, and ensuring that only trusted models are loaded. Defenders should also monitor for exploitation attempts and update the keras package to a patched version as soon as possible.

Technical summary

The vulnerability lies in the `TFSMLayer` class of the keras package. The path to the TensorFlow SavedModel that the layer wraps is written into the serialized model configuration, and `from_config()` loads that SavedModel from disk without validating it, so deserialization of a `.keras` model loads the external SavedModel unconditionally, even when `safe_mode=True`. Because the path is attacker-controlled and unvalidated, a maliciously crafted `.keras` model can cause arbitrary attacker-controlled code to run during model inference under the victim's privileges.

Defensive priority

Patching the keras package to a version that addresses this vulnerability should be treated as high priority. Until that is done, defenders can apply compensating controls: validate model sources and inspect model configurations before loading, and monitor for exploitation attempts.

Recommended defensive actions

  • Patch the keras package to a version that addresses this vulnerability.
  • Review model sources and validate model configurations to ensure only trusted models are loaded.
  • Monitor for potential exploitation attempts and update threat detection rules accordingly.
  • Implement additional security controls, such as input validation and model sanitization.
  • Consider using alternative model formats or frameworks that are not vulnerable to this issue.
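The following inspection routine is an added example for this debrief, not code from keras or from the CVE source. It implements the "validate model configurations before loading" action above, and illustrates the mechanism described in the technical summary, by opening a `.keras` archive as the zip file it is, parsing `config.json`, and reporting any `TFSMLayer` entry (which will load an external SavedModel during `load_model()` regardless of `safe_mode`) before any layer is instantiated. It assumes the Keras 3 `.keras` layout (a zip whose `config.json` carries the nested layer configuration) and that a `TFSMLayer` entry serializes the SavedModel location under a `filepath` key, matching the layer's constructor argument; both the archives it scans are constructed in the block itself.

```python
"""
Pre-load inspection of a Keras 3 ``.keras`` archive (added example).

Assumptions, labelled here and in the comments below:
  * a ``.keras`` file is a zip archive whose ``config.json`` holds the nested
    model/layer configuration (Keras 3 layout);
  * a serialized ``TFSMLayer`` stores the SavedModel location under the
    ``filepath`` key (same name as its constructor argument).
"""
import io
import json
import zipfile

# Layer classes whose config points at an external artefact that is loaded
# at deserialization time. Only TFSMLayer is named by the debrief.
EXTERNAL_LOADING_LAYERS = {"TFSMLayer"}


def walk_layer_configs(node, path="config"):
    """Yield (json_path, layer_dict) for every dict that carries a class_name.

    Recurses through nested Functional/Sequential configs as well.
    """
    if isinstance(node, dict):
        if "class_name" in node:
            yield path, node
        for key, value in node.items():
            yield from walk_layer_configs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_layer_configs(value, f"{path}[{i}]")


def find_external_loaders(config):
    """Return findings for layers that would load external files during load_model()."""
    findings = []
    for json_path, layer in walk_layer_configs(config):
        if layer.get("class_name") in EXTERNAL_LOADING_LAYERS:
            inner = layer.get("config", {})
            findings.append({
                "layer": layer["class_name"],
                "name": inner.get("name"),
                "where": json_path,
                # "filepath" is the assumed serialized key (see module docstring)
                "filepath": inner.get("filepath"),
                "call_endpoint": inner.get("call_endpoint"),
            })
    return findings


def inspect_keras_archive(data: bytes):
    """Parse config.json out of a .keras zip without instantiating any layer."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        config = json.loads(zf.read("config.json"))
    return find_external_loaders(config)


def is_safe_to_load(data: bytes) -> bool:
    """Gate: refuse archives that would pull in a SavedModel regardless of safe_mode."""
    return not inspect_keras_archive(data)


def make_archive(layers):
    """Build a minimal constructed .keras archive (config.json + metadata.json) for testing."""
    model_config = {
        "module": "keras",
        "class_name": "Sequential",
        "config": {"name": "sequential", "layers": layers},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config.json", json.dumps(model_config))
        zf.writestr("metadata.json", json.dumps({"keras_version": "3.13.0"}))
    return buf.getvalue()


# Constructed sample inputs (not real models): a benign Dense-only model and
# one whose config embeds a TFSMLayer pointing at an untrusted path.
CLEAN_ARCHIVE = make_archive([
    {"module": "keras.layers", "class_name": "Dense",
     "config": {"name": "dense", "units": 4}},
])
SUSPECT_ARCHIVE = make_archive([
    {"module": "keras.layers", "class_name": "TFSMLayer",
     "config": {"name": "tfsm_layer", "filepath": "/tmp/untrusted_saved_model",
                "call_endpoint": "serve"}},
    {"module": "keras.layers", "class_name": "Dense",
     "config": {"name": "dense", "units": 4}},
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_ARCHIVE), ("suspect", SUSPECT_ARCHIVE)):
        verdict = "safe" if is_safe_to_load(blob) else inspect_keras_archive(blob)
        print(label, verdict)
```

Run the gate on any archive received from outside the trust boundary before handing it to `keras.saving.load_model()`; the check costs one zip read and a JSON parse and needs no TensorFlow import. Because the walker is generic, other layer classes that load from disk can be added to `EXTERNAL_LOADING_LAYERS` as they are identified.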

Evidence notes

The CVE-2026-1462 vulnerability was reported by security researchers at Huntr and is tracked by multiple sources, including NVD and Red Hat. The vulnerability affects the keras package, version 3.13.0, and has a CVSS score of 7.8. The CVE was published on April 13, 2026, and last modified on June 30, 2026.

Official resources

This article is AI-assisted and based on the supplied source corpus.